[tor-bugs] #13026 [Tor Browser]: Verify screenX and screenY are spoofed sanely

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 3 00:19:36 UTC 2014


#13026: Verify screenX and screenY are spoofed sanely
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  ff31-esr, tbb-easy, tbb-testcase,
  Browser                |  tbb-fingerprinting, TorBrowserTeam201409Easy
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:5 mcs]:
 > Replying to [comment:4 gacar]:
 > > Checking the relevant Mozilla bug
 > > [https://bugzilla.mozilla.org/show_bug.cgi?id=943668 #943668] and
 > > [https://hg.mozilla.org/releases/mozilla-aurora/rev/5b7edf143247 landed FF patch],
 > > it seems
 > > [https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/src/current-patches/firefox/0021-Do-not-expose-physical-screen-info.-via-window-and-w.patch existing TBB patch #0021]
 > > is still ok but needs to be updated for ESR31 to cover this new method:
 > > [https://mxr.mozilla.org/mozilla-esr31/source/dom/base/nsGlobalWindow.cpp#4991 nsGlobalWindow::GetScreenXY]
 >
 > It looks like Arthur already patched that method:
 > https://github.com/arthuredelstein/tor-browser/commit/0c95ccb313bfc059e8d3433edeb6c4b4a9309569
 >
 > > For the device/CSS pixel difference, TBB bluntly returns 0 from the
 > > methods changed in the Firefox's patch (`GetScreenX, GetScreenY`). So I
 > > guess it should be ok.
 >
 > If Arthur agrees that he has already taken care of the new methods, this
 > bug should be closed.

 I think this patch is OK, but it would be good if someone other than me
 can review that patch for correctness :). Note that there is a fixup for
 this patch
 (https://github.com/arthuredelstein/tor-browser/commit/5d00edbfe6492c7636bc349450878d2a7f5b54fa)
 and also some mochitest-plain regression tests
 (https://github.com/arthuredelstein/tor-browser/commit/07ef3362124e1df51f02782220c3519ab69f4cfd),
 which currently pass.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13026#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

